System for randomly and dynamically checking configuration integrity of a gaming system

ABSTRACT

A method of periodically downloading dynamically generated executable modules at random intervals that perform system configuration integrity checks in a secure and verifiable manner is disclosed. The dynamically generated executable modules are created on a server machine and are themselves signed using industry standard PKI techniques, and contain hashing and encryption algorithms that are executed on the system to be checked to create a unique signature of the state of that system. The dynamically generated executable module returns the signature to the server machine from which it was downloaded. The server that is performing the system configuration integrity check maintains a database of expected system configurations and performs the same subset of hashing and encryption algorithms as contained in the dynamically generated executable module. The result returned by the downloaded executable module is compared to that computed locally, and an error condition is raised if they do not match.

PRIORITY CLAIM

The present application is a continuation of and claims priority under35 U.S.C. §120 to U.S. patent application Ser. No. 14/034,446, filed onSep. 22, 2013, and to be issued as U.S. Pat. No. 9,373,219, which is acontinuation of U.S. patent application Ser. No. 13/330,827 entitled“METHOD OF RANDOMLY AND DYNAMICALLY CHECKING CONFIGURATION INTEGRITY OFA GAMING SYSTEM,” filed on Dec. 20, 2011, issued as U.S. Pat. No.8,543,837 on Sep. 24, 2013, which is a divisional of and claims priorityunder 35 U.S.C. §120 to U.S. patent application Ser. No. 11/520,963entitled “METHOD OF RANDOMLY AND DYNAMICALLY CHECKING CONFIGURATIONINTEGRITY OF A GAMING SYSTEM,” filed on Sep. 13, 2006, issued as U.S.Pat. No. 8,117,461 on Feb. 14, 2012, all of which are incorporatedherein by reference in their entireties and for all purposes.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to gaming machines and more particularlyto methods of verifying the integrity of remote gaming machines.

2. Description of the Related Art

A common problem for ensuring that distributed computing systemcontinues to operate in a correct, secure and stable fashion arises dueto the ease with which individual computing devices (e.g., desk top workstations, portable client devices, server platforms, etc.) can haveconfiguration settings changed, hardware components added or removed andapplication software components installed or uninstalled.

The gaming industry, in particular, must conform to extensive regulationin multiple jurisdictions where ensuring that computing devices that aredeployed as part of a gaming system all conform exactly to pre-approvedhardware and software configuration. As the industry moves from systemslargely or entirely based on custom developed hardware and softwarecomponents towards the inclusion of more sophisticated commercial offthe shelf products, the difficulty of monitoring and controlling theconfiguration of those systems will greatly increase even as the needfor such monitoring becomes more severe.

To satisfy security and regulatory requirements in a gaming environment,a gaming machine must demonstrate sufficient safeguards that prevent anoperator or player of the gaming machine from manipulating the hardwareand software in a manner that gives them an unfair and some cases anillegal advantage. The gaming machine typically includes a means todetermine if the code it will execute is valid and whether the code hasbeen tampered with. If the code is not valid or has been tampered with,the gaming machine is believed to be compromised and game play isstopped or suspended. This can also trigger additional securityoperations.

Gaming safeguards come in a variety of forms. Gaming machines mayinclude security measures that detect physical intrusion. For example,gaming machines may include a security system that monitors securityswitches attached to access doors of the gaming machine. Gaming machinesmay also utilize evidence tape to physical detect tampering betweenvisits by a gaming regulator. The evidence tape is laid across a newlyinstalled memory device, and if broken indicates that that the memorydevice has been tampered with.

Gaming machines may also include security measures that detectelectronic intrusion. If the code is stored on a read only memory devicesuch as an EPROM, a unique signature can be determined for the codestored on the EPROM using a method such as a CRC. Then, prior toinstalling the EPROM on the gaming machine, the unique signature can becompared with an approved signature.

On less secure memory subsystems, trusted memory devices may be used toensure the authenticity of the code. Trusted memory devices andcontrolling circuitry are typically designed to not allow modificationof the code and data stored in the memory device while the memory deviceis installed in the gaming machine. The code and data stored in thesedevices may include authentication algorithms, random number generators,authentication keys, operating system kernels, etc. The purpose of thesetrusted memory devices is to provide gaming regulatory authorities aroot trusted authority within the computing environment of the slotmachine that can be tracked and verified as original. This may beaccomplished via removal of the trusted memory device from the slotmachine computer and verification of the secure memory device contentsis a separate third party verification device. Once the trusted memorydevice is verified as authentic, and based on the approval algorithmscontained in the trusted device, the gaming machine is allowed to verifythe authenticity of additional code and data that may be located in thegaming computer assembly such as code and data stored on hard diskdrives.

While these measures work well, there is desired improved systems andtechniques for ensuring that a gaming device continues to operate in acorrect, secure and stable fashion.

SUMMARY OF THE INVENTION

The invention relates, in one embodiment, to a method of ensuring thevalidity of a data set for use in a casino-type gaming system. Themethod includes installing a game data set at a gaming module. Themethod also includes providing an exact copy of at least a portion ofthe game data set at an oversight module. The method further includesrandomly and dynamically generating an integrity executable at theoversight module. The method additionally includes sending the integrityexecutable to the gaming module. Moreover, the method includes using theintegrity executable, computing a first outcome from the game data setat the gaming module.

The method also includes sending the first outcome to the oversightmodule and removing the integrity executable from the gaming moduleafter computing the first outcome. The method additionally includesusing the integrity executable, computing a second outcome from the gamedata set at the oversight module. The method further includes comparingthe first and second outcomes to determine whether the first and secondoutcomes match. If the first and second outcomes match, the methodincludes indicating that the game data set is authentic. If the firstand second outcomes do not match, the method includes indicating thatthe game data set is not authentic.

The invention relates, in another embodiment, to a method of performinga system configuration integrity check. The method includes, in a host,maintaining a database of expected system configurations of one or moreremote systems. The method also includes, in the host, randomly anddynamically generating an executable module containing an algorithm thatis configured to generate a unique signature of the state of aparticular remote system. The method further includes sending theexecutable module to the particular remote system. The methodadditionally includes in the particular remote system, executing theexecutable module so as to generate a unique signature of the state ofthe actual system configuration of the particular remote system. Themethod also includes returning the unique signature to the host anddeleting the executable module from the particular remote system. Themethod further includes, in the host, generating a unique signature ofthe state of the expected system configuration associated with theparticular remote system maintained on the database using the samealgorithm contained in the executable module. Moreover, the methodincludes, in the host, comparing the unique signature returned from theparticular remote system with the unique signature generated locally atthe host, and generating an error condition if the unique signatures donot match.

The invention relates, in another embodiment, to a server side method ofchecking the integrity of a client device. The method includes randomlyand dynamically generating an executable for checking the integrity of aclient device. The executable contains one or more algorithms to beperformed on at least a portion of a particular system configuration ofa particular client device. The method also includes communicating witha client device. The method further includes sending the executable toone or more particular client devices having the particular systemconfiguration. The method additionally includes looking for a reply fromthe one or more client devices in response to performing the executable.The reply includes the outcome of the executable. If a reply isreceived, the method includes determining whether the client device is atrusted device based on the outcome. If a reply not received within apreset amount of time, the method includes indicating that the device isno longer trusted. Moreover, the method includes sending a trustresponse to the client, the trust response indicating whether the clientis trusted or not trusted.

The invention relates, in another embodiment, to a client side method ofchecking the integrity of a client. The method includes providing asystem configuration. The method also includes randomly receiving adynamic executable from a server. The method further includes verifyingthe authenticity of the dynamic executable. The method additionallyincludes temporarily storing the dynamic executable. Moreover, themethod includes running the dynamic executable on at least a portion ofthe system configuration to obtain an outcome.

The method may also include sending the outcome to a server. The methodmay further include deleting the dynamic executable and the outcome. Themethod may additionally include receiving a trust response from aserver. The trust response indicates whether the client is trusted ornot trusted. If trusted, the method includes proceeding with standardclient operations. If not trusted, the method includes implementingsecurity measures.

The invention relates, in another embodiment, to a method for randomlyand dynamically generating an executable associated with testing theintegrity of a remote client device associated with gaming. The methodincludes randomly generating a request to check a particular remoteclient device. The method also includes consulting a systemconfiguration database containing an expected system configuration forthe particular remote client device. The method further includesrandomly selecting data to be checked from the expected systemconfiguration of the particular remote client device. The methodadditionally includes consulting an algorithm database containing aplurality of hashing and verification algorithms to be performed on theselect data. Moreover, the method includes randomly selecting one ormore algorithms to be performed on the select data, and compilingalgorithms into an executable.

The invention relates in another embodiment to a gaming system. Thegaming system includes an oversight module configured to randomlymonitor the integrity of one or more gaming modules operatively coupledto the oversight module to ensure that the gaming modules have not beencompromised. The oversight module randomly performs audits of at leastthe gaming code stored on the gaming modules. The audits indicatewhether the gaming code has been changed or altered from a knownconfiguration.

In some cases, the oversight module may include a gaming moduleconfiguration database having a copy of the gaming data for each gamingmodule. The oversight module may also include an algorithm database thatincludes a plurality of security algorithms. The oversight module mayfurther include an integrity check generator configured to randomly anddynamically generate integrity executables to be run on both theoversight module and the gaming module. The integrity executablecontains one or more security algorithms. The oversight module mayadditionally include a comparator that compares the results of theexecutable run on the oversight module and the gaming module. A matchindicates that the gaming module is trusted. A non match indicates thatthe gaming module is not trusted.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be readily understood by the following detaileddescription in conjunction with the accompanying drawings, wherein likereference numerals designate like structural elements, and in which:

FIG. 1 is a diagram of a gaming system, in accordance with oneembodiment of the present invention.

FIG. 2A is a diagram of a gaming system, in accordance with oneembodiment of the present invention.

FIG. 2B is a diagram of a gaming system, in accordance with oneembodiment of the present invention.

FIG. 3 is a method of checking the integrity of a computing device, inaccordance with one embodiment of the present invention.

FIG. 4 is a server side method of checking the integrity of a clientdevice, in accordance with one embodiment of the present invention.

FIG. 5 is a client side method of checking the integrity of a client, inaccordance with one embodiment of the present invention.

FIG. 6 is a method of randomly and dynamically generating an executablemodule associated with testing the integrity of a remote client device,in accordance with one embodiment of the present invention.

FIG. 7 is a method of generating a security code, in accordance with oneembodiment of the present invention.

FIG. 8 is a method of initiating a check at a server, in accordance withone embodiment of the present invention.

FIG. 9 is a method of performing a security check, in accordance withone embodiment of the present invention.

FIG. 10 is a method of combining Selector/Action pairs to create asingle Result, in accordance with one embodiment of the presentinvention.

FIG. 11 is a block diagram of a gaming device, in accordance with oneembodiment of the present invention.

FIG. 12 is a perspective view of an exemplary gaming machine, inaccordance with one embodiment of the present invention.

FIG. 13 is a simplified block diagram of an embodiment of a gamingmachine showing processing portions of a configuration/reconfigurationsystem, in accordance with one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The proposed invention is a method of periodically downloadingdynamically generated executable modules at random intervals thatperform system configuration integrity checks in a secure and verifiablemanner. The dynamically generated executable modules are created on aserver machine and are themselves signed using industry standard PKItechniques, and contain randomly chosen subset from a repertoire ofproven hashing and encryption algorithms that are executed on the systemto be checked to create a unique signature of the state of that system.

The dynamically generated executable module then returns the signatureto the server machine from which it was downloaded and deletes itselffrom the system being checked. The next time such an executable moduleis downloaded, it will contain a different randomly chosen subset ofhashing and encryption algorithms.

The server that is performing the system configuration integrity checkmaintains a database of expected system configurations and will performthe same subset of hashing and encryption algorithms as contained in thedynamically generated executable module. The result returned by thedownloaded executable module will be compared to that computed locally,and an error condition will be raised if they do not match.

The invention relates to any computing device with a well definedhardware/software configuration that must be checked periodically forcorrectness and security of that configuration. This invention can beapplied in any computing environment regardless of hardware platform,operating system, application software configuration, or intendedpurpose. The only requirements are the ability to dynamically generateand compile an executable module on a server machine, the ability todownload the dynamically generated executable to a target machine whoseintegrity is to be verified, and the ability to communicate the resultof the integrity check back to the server machine.

Generally speaking, this system is designed to check devices that havetightly constrained system configurations with limited to no ability toalter, add or delete the contents (e.g., gaming machines) although itmay still be applied on devices that are loosely controlled systemconfigurations with total control on what is created, destroyed,installed, uninstalled, etc. (e.g., personal computers).

The invention is particularly suitable in the gaming industry whereensuring that computing devices that are deployed as part of a gamingsystem all conform exactly to pre approved hardware and softwareconfiguration. This is especially true as the gaming industry moves fromsystems largely or entirely based on custom developed hardware andsoftware components towards the inclusion of more sophisticatedcommercial off the shelf products, whose configuration is difficult tomonitor and control.

Embodiments of the invention are discussed below with reference to FIGS.1-13. However, those skilled in the art will readily appreciate that thedetailed description given herein with respect to these figures is forexplanatory purposes as the invention extends beyond these limitedembodiments.

FIG. 1 is a diagram of a gaming system 10, in accordance with oneembodiment of the present invention. The gaming system 10 includes anoversight module 12 that communicates with one of more gaming modules 14associated with operating a gaming machine. The oversight module 12 isconfigured to randomly monitor the integrity of the gaming modules 14 toensure that they have not been compromised. This is generallyaccomplished by overseeing or performing random dynamic audits of thegaming data and code 16 (e.g., software) stored at the gaming modules 14in communication with the oversight server 12. For example, to determineif the gaming data and code 16 has been altered or changed from a knownconfiguration.

The oversight module 12 includes a gaming module configuration database18. The gaming module configuration database 18 includes all or a part(subsets) of the data 16 stored at the gaming modules 14. The gamingmodule configuration database 18 may include a copy of the data for eachgaming module, or alternatively it may only include a single copy foreach type of gaming module. As should be appreciated, some gamingmodules are identical and therefore they contain the same set of data.For gaming modules of a different type, the gaming module configurationdatabase 18 typically includes at least one copy of the data for eachvariety of gaming module. In one embodiment, in order to ensure an exactreplica, the data is copied at the oversight module 12 at the same timethe data is installed at the gaming module 14.

The oversight module 12 also includes an integrity check generator 20.The integrity check generator 20 is configured to randomly anddynamically generate integrity executables to be run on both theoversight module 12 and the gaming module 14. By randomly, it is meantthat the executable can be generated at any time. It is not generatedperiodically at set intervals or times, and does not follow a pattern.By dynamically, it is meant that integrity executable is not static andchanges each time it is generated (e.g., uses a different set of ruleseach time).

In order to dynamically generate executables, the integrity checkgenerator 20 typically consults the gaming module configuration database18 to see what type of data to base the executable on. The executablemay be based on the entire data set or it may be based on one or moresubsets of the data. The integrity check generator 20 also consults analgorithm database 22 that includes a vast number of securityalgorithms. The algorithms may for example include a variety ofencryption and hash algorithms. Any number of security algorithms may beused in the executable. For example a single algorithm may be used, ormultiple algorithms may be used. The order in which the algorithms areperformed in the executable may also be selected. Any configuration ofalgorithms applied to any portion of the data may be used.

Once the executable is generated, it is stored and a copy is made. Thecopy is sent to the gaming module 14 where it is stored temporarily. Inorder to ensure that the executable is authentic and sent from a trustedsource, standard security measures including encryption and a public keyinfrastructure may be used. As shown, the oversight module 12 includes asecurity mechanism 24 and the gaming module 14 includes a securitymechanism 26 that may perform encryption/decryption when the executableis sent from the oversight module 12 to the gaming module 14. In thecase of PKI, the security mechanism 24 may include a public key thatencrypts the message, and the security mechanism 26 may include aprivate key that decrypts the message.

The executable is run on both the oversight module 12 and the gamingmodule 14. The executable run on the oversight module 12 uses the copieddata 16′ stored in the gaming module configuration database 18, and thegaming module 14 uses the actual data 16 stored at the gaming module 14.The result of the executable at the gaming module 14 is sent to theoversight module 12. This may be implemented using security measuressimilar to those mentioned above. Thereafter, the executable is erasedfrom the gaming module 14. This may be performed immediately afterrunning the executable or after a predetermined amount of time (e.g.,time out).

The oversight module 12 also includes a comparator 28. The comparator 28compares the results of the executable run on the oversight module 12with the result of the executable run at the gaming module 14. If thereis a match, the integrity of the gaming module 14 has not beencompromised and the gaming module 14 can be used for future gamingoperations. If there is no match or if the oversight module 12 has notreceived the results from the gaming module within a preset amount oftime, the integrity of the gaming module is believed to be compromisedand one or more security measures are implemented. The security measuresmay for example include terminating gaming operations, performing a selfdestruct, initiating audio and visual alarms, erasing data, etc.

The gaming system 10 described above may be widely varied. The gamingsystem 10 may be embodied as a single gaming machine that includes boththe oversight module 12 and the gaming module 14. The gaming system 10may also be embodied as a gaming network with server machines and remoteclient machines that communicate over wired or wireless connections. Inone example, a server machine includes the oversight module and a remoteclient machine includes the gaming module (e.g., gaming server/gamingmachine). In another example, the server machine includes both theoversight module and the gaming module and the remote client machinealso includes the gaming module (e.g., gaming machine/wireless handheldgaming machine). It should be appreciated that any combination may beused.

FIGS. 2A and 2B show two examples of gaming systems 50 which mayincorporate the present invention. The gaming system 50 of FIG. 2Aincludes a host game unit 52 (e.g., server) that communicates with oneor more remote gaming terminals 54 (e.g., client) The host game unit 52includes an oversight module 12 and each of the remote gaming terminalsincludes a gaming module 14, which can be based on the same or differentgames. The remote gaming terminals 54 may be gaming machines or stationsand/or portable gaming devices. For example, the gaming machines may bebox variety that are situated on the casino floor, and the portablegaming devices may be handheld wireless gaming units that can be movedabout the casino floor. Alternatively or additionally, the gamingmachines may be general purpose computers such as towers or desktopsfound in homes or offices and the portable gaming devices may be laptopcomputers, PDAs, cell phones, media players, etc.

The gaming system 50 of FIG. 2B includes a gaming terminal 54 thatcommunicates with a portable gaming device 56. The gaming terminal 54includes an oversight module 12 and the portable gaming device 56includes a gaming module 14. The gaming terminal 54 may additionallyinclude a gaming module 14. The gaming modules may share gamingfunctionality or they may be distinct (when one is on the other is off).The gaming terminal 54 may be a stand alone gaming machine or a gamingmachine in communication with a host game unit 52 (see FIG. 2A). In anyof these examples, the host device typically acts as a server machineand the target machine acts as a client machine.

FIG. 3 is a method 100 of checking the integrity of a computing device,in accordance with one embodiment of the present invention. The methodis generally discussed in context with a server/client model. Theserver/client model is a common form of a computer system in whichsoftware is split between server tasks and client tasks. The clienttypically sends requests to the server, and the server fulfills therequests. The client/server model can be used in a single computer, oracross multiple computers via a network. In a network, one or moreserver programs provide data to client programs installed on manycomputers throughout the network. Any suitable network may be used.

In the context of a gaming environment, the server may be a centralgaming server that communicates with a plurality of remote gamingterminals (clients). The terminal may download games from the centralgaming server or may rely on the central gaming server to partially orcompletely run the games. In the case of completely, the gaming terminalrelies completely on the server to perform all processing and outcomedeterminations, and typically consists solely of input, output andcommunication devices. Alternatively or additionally, the server may bea remote gaming terminal that communicates with a portable gaming devicesuch as a game player (client). The portable gaming device may downloadgames from the remote gaming terminal or may rely on the remote gamingterminal to partially or completely run the games. In the case ofcompletely, the gaming device relies completely on the server to performall processing and outcome determinations, and typically consists solelyof input, output and communication devices. Alternatively oradditionally, the server program and client program may be contained ina single gaming machine.

The method 100 begins at block 102 where a system configuration isloaded onto a remote client (e.g., remote gaming terminal). The systemconfiguration may include all software components or particular softwarecomponents such as those associated with operating a game. The methodproceeds to block 104 where a copy of at least a portion of the systemconfiguration is stored at a server (e.g., game server). If only aportion rather than the entire system configuration, the portion istypically the portion of the system configuration that cannot becompromised (e.g., gaming components).

Thereafter, in block 106, communications are provided between the serverand the remote client. The communications may occur internally within asingle system or externally though a network. Furthermore, thecommunication can occur through a wired or wireless connection.

Following block 106, the method proceeds to block 108 where a systemconfiguration check is generated at the server. The system configurationcheck is configured to perform checks that the server deems appropriate.The system configuration check is based on a particular systemconfiguration stored on the server (server needs to know just enoughabout the system configuration to generate the code to do the checking).The system configuration check is generally generated at randomlyvarying intervals. Furthermore, the check typically is dynamicallygenerated. That is, the check is not static and changes each time thecheck is generated. For example, the check can be configured to run ondifferent sets of data, using different sets of hashing and encryptionalgorithms.

Following block 108, the method proceeds to block 110 where the systemconfiguration check is performed at one or more remote gaming devices,which are in communication with the hosting device and which have theparticular system configuration from which the check is based. By way ofexample, the system configuration check is sent to the remote client,authenticated at the remote client and thereafter executed at the remoteclient. The system configuration check is configured to generate adistinct outcome, which can be used to verify the integrity of theremote client.

Thereafter, in block 112, the results of the system configuration checksare verified at the server. That is, the outcomes are checked to ensurethat the gaming devices have not been compromised. For example, anyerrors in the outcome may indicate that the remote client can no longerbe trusted while outcomes that do not include errors may indicate thatthe remote client can be trusted. The errors may for example bedetermined by performing the same system configuration check at theserver and comparing the outcome with the outcome returned from theremote client. Because the server contains the same system configurationas the client, and uses the same check, it knows what the outcome shouldbe for a given device. If the remote client can no longer be trusted114, security measures 116 are typically performed on the server and/orthe client. By way of example, the remote clients gaming software may beshut off, or erased, and the server may initiate an alarm to alertoperators or mangers of the system. If the remote client can be trusted118, operations are allowed to proceed at the client 120.

The method removes checking code from existing on the client and ratherthan running the same code each time a check is to be made, it runs adifferent checking code each time (e.g., the result is determineddifferently each time). Because different code is used for each time acheck is performed, it becomes extremely difficult to guess or determinewhat the result will be. As such, the method is very secure (e.g., hardto tamper with, reverse engineer or hack).

FIG. 4 is a server side method 150 of checking the integrity of a clientdevice, in accordance with one embodiment of the present invention. Themethod generally begins at block 152 where at least a portion ofexpected system configurations for one or more clients are stored at theserver. The expected system configurations may be stored partially or intheir entirety. By way of example, they may be stored in a systemconfiguration database. The expected system configurations may be copiedto the server the same time they are written to the client.

At the bare minimum, the data that is stored is typically the data orcode that needs to be protected and more importantly data that shouldnot be compromised (e.g., gaming data). In the gaming industry, thesystem configuration is what got approved and deployed as a gamingsystem. Any changes to the system make it non compliant.

Essentially, the server has a snap shot or image of all or a part of thedata contained on the client. The data may be data stored entirely orpartially on any type of client memory device including hard drive, RAM,ROM, etc. The term image as used herein is defined as a bit for bitduplicate of the same data even if the bits are not stored the same way(e.g., not order dependent). Typically every program or code gives adifferent view of the same bits and a different way of accessing andstoring the same bits. This is irrelevant as the executable is going torefer to the same bits no matter how they are stored or accessed (e.g.,looks at raw bits rather than a logical file system). Generallyspeaking, the server includes a database of all the images for thedifferent types of clients it manages.

Following block 152, the method proceeds to block 154 where anexecutable module is randomly and dynamically generated. The serverrandomly puts together and assembles a dynamic executable. The dynamicexecutable specifies the data to be checked as well as the algorithms touse when checking the data, and what order to process the data oralgorithms. The executable module is configured to be run using at leasta portion of the data of a particular system configuration. That is, oneor more subsets of the expected system configuration or the entireexpected system configuration may be used.

The executable is configured with one or more algorithms including hashfunctions and/or encryption algorithms. A hash function is configured togenerate a hash value or message digest from a string of text or code.The hash value is substantially smaller than the text itself and isgenerated by a formula in such a way that it is extremely unlikely thatsome other text will produce the same hash value. Any suitable hashfunction may be used in any suitable combination. In one embodiment, asingle algorithm (hash function) is applied to the entire data set ofthe expected system configuration. In another embodiment, multiplealgorithms (multiple hash functions) are applied to the entire data setof the expected system configuration. In another embodiment, the samealgorithm (same hash function) is applied to different data subsets ofthe expected system configuration. In another embodiment, differentalgorithms (different hash functions) are applied to different datasubsets of the expected system configuration. In yet another embodiment,algorithms (hash functions) may also be applied to the results ofvarious algorithms (hash functions) and so on.

Following block 154, the method proceeds to block 155 where theexecutable is run at the server using the stored system configuration toobtain a first outcome. Although shown occurring after block 154 andbefore block 156, it should be noted that this is not a limitation andthat block 155 may occur at other times including after receiving theoutcome from the client block 158.

Following block 155, the method proceeds to block 156 where theexecutable is sent to one or more clients having the particular systemconfiguration. In one embodiment, the executable is sent to all theclients having the particular system configuration. In anotherembodiment, the executable is only sent to a portion of the clientshaving the particular system configuration.

The executable is also encrypted to prevent anyone but the intendedrecipient from reading the executable. As is generally well known,encryption is the process of scrambling a message to ensure secrecy ofthat message. The message is encoded with an electronic key, which makesit undecipherable to anyone except the holder of the other half of theelectronic key (e.g., public key/private key). By way of example, theclient may contain the private key, which opens the executable encryptedwith the public key. Any suitable encryption technique may be used. Inone embodiment, Public key infrastructure (PKI) is used. PKI is asecurity management system including software, hardware, processes,policies, dedicated to the management of digital certificates for thepurposes of secure exchanges of electronic messages. PKI enables usersof basically unsecure public network to securely and privately exchangedata and money through the use of a public and private cryptographic keypair that is obtained and shared through a trusted authority.

Thereafter, in block 158, a determination is made as to whether a secondoutcome has been returned from the client(s). This determination istypically conducted within a preset amount of time in order to ensuresecurity. If the second outcome is not received within the preset amountof time, the method proceeds to block 160 where the client is consideredcompromised. If the outcome is received within the time limit, themethod proceeds to block 162 where the first outcome executed at theserver is compared with the second outcome executed at the client. Thisoperation is conducted for each client that was sent the executable. Ifthere is no match, the method proceeds to block 160. If there is amatch, the method proceeds to block 164 where the client is deemedtrustworthy (e.g., not compromised). In some cases, a response may besent to the client indicating that it is trustworthy and may proceedwith its operations.

Following block 160 where the client is considered compromised, themethod proceeds to block 166 where security measures are implemented.For example, a command may be sent to the client instructing the clientto stop operations, erase data, and the server may initiate an alarm.

FIG. 5 is a client side method 200 of checking the integrity of aclient, in accordance with one embodiment of the present invention. Themethod 200 generally begins at block 202 where the system configurationis provided at the client. This may for example be accomplished byinstalling and thereafter storing the configuration using standardgaming protocols. The system configuration typically includes runningprocesses, executables stored on persistent memory devices on or in themachine, etc.

Thereafter, in block 204, a dynamic executable is received at randomintervals from a hosting server. The executable is generated at theserver and is sent at randomly varying times. Furthermore, theexecutable is different each time it is received (e.g., dynamic). Theexecutable typically contains a plurality of different hashing andencryption algorithms, which are run on select parts or the entiresystem configuration.

Following block 204, the method proceeds to block 206 where theexecutable module is verified before execution. For example, when theserver generates the security code, it signs it with its private key.The client verifies the signature, thereby validating that code that wasin fact created by the server and that code has not been altered intransit. By way of example, standard encryption/decryption processessuch as PKI may be used.

The manner in which the code interacts with the client may be widelyvaried. In one implementation, the code asks the operating system of theclient to load it. In this instance, the code has some knowledge of howthe operating system works on the client. Further this could varybetween clients, i.e., between a handheld and a gaming machine ordifferent manufacturers of gaming machines. Thus, when the code isassembled on the host/server side, the server needs to take into accountthe type of operating system on the client. In another implementation,the client may know to automatically load and execute the code. Onceloaded, the security code has some knowledge of how to navigate its wayaround the client. It may be looking for particular information (files,data, etc.) in particular memories at particular locations (RAM, NV-RAM,EPROMS, hard rives, CD-ROMS, or other trusted memory sources). In eitherof these cases, some code resides on the client that verifies the codeprior to execution.

If the executable is not authentic, the client is deemed untrustworthy(e.g., someone may be trying to hack the system) and the method proceedsto block 208 where security measures are implemented. If the executableis authentic, the method proceeds to block 210 where the dynamicexecutable is temporarily stored at the client.

Following block 210, the method proceeds to block 212 where theexecutable module is run on the select portion of the systemconfiguration to obtain an outcome. In one embodiment, the security codeor dynamic executable is different from the gaming code, and is run withelevated privileges that provide read only access to system resourcesnecessary for performing the security checks.

The manner in which the code finds its way around the client may bewidely varied. In one implementation, the code negotiates with the OS ofthe client. In some cases, it uses system resources while in other casesit is autonomous with enough resources built in to do its job. Inanother implementation, the code accesses drivers directly. In such acases, it may be necessary (depending on the OS) to write custom driversthat allow the code to negotiate with associated drivers withoutcorrupting the internal state of the current OS. Generally speaking, themethod of doing its job typically varies from device to device.

The access given to the code may also be widely varied. Although theclient may provide unfettered access to the code, in most cases, theclient provides limited access to the code. For instance, the code maybe prevented from writing to certain memory or denied access toparticular memory such as NV-RAM that stores the amount of credits onthe gaming machine. It could also be prevented form writing to thismemory or other memories such as hard drive thus denying it the abilityto alter credit amounts on the gaming machine. It could also be allowedto execute only in special secure memory on the client that is isolatedfrom other memory in the client. In one example, only read only accessmay be provided unless the security code accessed the hardware directly.

Following block 212, the method proceeds to block 214 where the dynamicexecutable is deleted from the client. This typically occurs immediatelyafter the outcome is obtained. The executable may include instructionsfor deleting itself once the outcome is calculated.

Thereafter (or at the same time), in block 216 the outcome is sent tothe hosting server. In most cases, a response is received 218 from thehosting server regarding the outcome, which was returned to the hostingserver. The response generally indicates whether or not the client istrusted. If trusted, the method 200 proceeds to block 220 where standardclient operations are allowed to proceed. For example, gaming operationsmay be performed. If the client is not trusted, the method proceeds toblock 208 where security measures are implemented. For example, thegaming operations may be stopped, an alarm may be initiated and amessage may be displayed (e.g., please see attendant).

It should be noted that the order of blocks 214 and 216 is not alimitation and that the order may be switched depending on the needs ofthe system.

FIG. 6 is a method 250 of randomly and dynamically generating anexecutable module associated with testing the integrity of a remoteclient device, in accordance with one embodiment of the presentinvention. The method 250 may for example generally correspond to block154 described in FIG. 4. The method generally begins at block 252 wherea request to check a particular client (gaming device) is randomlygenerated. Although random, the request may be initiated between aminimum and maximum time limits.

Following block 252, the method 250 proceeds to block 254 where a systemconfiguration database is consulted. The system configuration databasecontains expected system configurations for one or more particularclients. As mentioned above, the expected system configuration may be acopy of the entire actual system configuration or some subset of theactual system configuration.

Following block 254, the method 250 proceeds to block 256 where data tobe checked is randomly selected from the expected system configurationof the particular client. The data may be all the data associated withthe expected system configuration or various subsets of the expectedsystem configuration.

Following block 256, the method proceeds to block 258 where an algorithmdatabase is consulted. The algorithm database contains a plurality ofhashing and verification algorithms that may be performed using theselected data.

Following block 258, the method proceeds to block 260 where one or morealgorithms to be performed on the select data to be checked are randomlyselected. In some cases, the selection may be independent of the data tobe checked. In other cases, the selection may be based entirely or inpart on the data to be checked. The selection may include encryption orPKI techniques for authenticating the executable module when received atthe client. The selection may also include selecting algorithms to runon the results of algorithms.

Following block 260, the method proceeds to block 262 where thealgorithms are compiled into an executable module. This may includedetermining the order and configuration in which the algorithms are runas well as which algorithms are run on which data subsets. Theexecutable module may also be compiled with other features including forexample instructions to delete itself after the outcome has beendetermined.

With regards to the Figures described above, the code that performs thechecks can be either an executable program or a section of code designedto be run by a security program residing on the client device to bechecked. In the case of an executable, the code would be a fullyfunctioning program in its own right that is designed to run with theappropriate privileges on the client target. In the case of a section ofcode to be run by a separate security program, the client would have apreinstalled security application that provides low level access tosystem resources (Disk, RAM, Registry entries, etc). This securityapplication would provide read-only access to said resources and wouldrun with elevated privileges.

The dynamically generated security checking code is composed ofalgorithms that select which parts of the client system are to beverified and algorithms that perform some sort of operation or action onthose selections. Thus a given dynamically generated security codeconsists of a set of one or more pairs of selectors and actions.Examples of actions include generating a hash code from a selection andforming a list from a selection. Examples of selections include lookingat registry entries, file system entries, memory resident processes,etc. It should be noted that anyone skilled in the art can see thathashing and listing are only examples of actions, and that other actionsare possible under this invention. The data that is returned to therequesting server will be formatted by the security code. The formatincludes a hash code that is generated by combining all of the requestedhash codes followed by any lists that were requested in the order thatthey were requested. The result would be encrypted before it wastransmitted back to the server.

The security checking code will make the requested selections byinteracting with low-level operating system APIs. It will perform therequested actions on the selections, and finally, it will form a resultand transmit the result back to the server.

FIG. 7 is a method 270 of generating a security code, in accordance withone embodiment of the present invention. The method 270 begins at block272 where a unique identifier is generated. Thereafter in block 274, theunique identifier is stored and associated with the target of thesecurity check. Following block 274, the method proceeds to block 276where a random decision is made as to the number of Selection/Actionpairs. In block 278, a Selector is randomly chosen. In block 280, aconfiguration for the Selector is randomly chosen. In block 282, anAction that can be paired with the chosen Selector is randomly chosen.In block 284, a configuration for the Action is randomly chosen.

Thereafter in block 286, source code that instantiates the chosenSelector and Action with the chosen configuration options is generated.In block 288, a decision is made as to whether or not the source codehas been generated for all Selector/Action pairs. If not, the methodproceeds back to block 278. If so, the method proceeds to block 290where source code that calls the Selectors and Actions to perform theiroperations and store their results for later use by the security code isgenerated.

Thereafter, in block 292, source code that combines all the results fromblock 290 into a return value which includes the unique identifier fromblock 272 is generated. In block 294, source code that will return theresult from block 292 to the server is generated. In block 296, thesource code is compiled into an executable program. Thereafter, in block298, the executable is signed with the servers private key.

FIG. 8 is a method 300 of initiating a check at a server, in accordancewith one embodiment of the present invention. The method 300 begins atblock 302 where security code is created. This block may for examplecorrespond to the method 270 described in FIG. 7. In block 304, thesecurity check is sent to the client. Thereafter, in block 306, aconfigured time interval is started. If a security check result isreceived during the configured time interval in block 308, the methodproceeds to block 310 where the security check is performed on localclient image. Thereafter, in block 312, the check results are compared.If there is a match, the system is secure as shown in block 314. Ifthere is no match or if a security check is not received during theconfigured time interval, there is a security violation as shown inblock 316. As should be appreciated, this diagram shows how the serverinitiates a check and details that there is an associated timer for thecheck to ensure it is completed in a timely fashion.

FIG. 9 is a method 350 of performing a security check, in accordancewith one embodiment of the present invention. The method may for examplebe performed on the server or the client. The method begins at block 352where a Selector is activated to Select Data. Thereafter in block 354,an Action is performed on the Selected Data. Thereafter in block 356,the Action Result is stored. Following block 356 a decision 358 is madeas to whether or not more Selector/Action pairs exist. If so, the method350 proceeds back to block 352. If not, the method 350 proceeds to block360 where a Result is created with stored Action Results (see forexample FIG. 10). Thereafter, in block 362, the Server Result is storedat the server or the Client Result is sent to the server. As should beappreciated, this diagram shows that multiple selector/action pairs maybe executed to create a final Result.

FIG. 10 is a method 380 of combining Selector/Action pairs to create asingle Result, in accordance with one embodiment of the presentinvention. The method 380 may for example correspond to the block 360 inFIG. 9. The method 380 begins at block 382 where Action Result type isdetermined. If a hash result, the method proceeds to block 384 where adecision is made as to whether the hash result is a first hash result.If so, the method proceeds to block 386 where the hash value is savedfor later. If not, the method proceeds to block 388 where hash is XORwith saved hash value from block 386. Referring back to block 382, if alist result, the method proceeds to block 390 where a decision is madeas to whether the list result is a first list result. If so, the methodproceeds to block 392 where the list value is saved for later. If not,the method proceeds to block 394 where the list result is appended withthe list data from block 392. Following blocks 386 and 392, the methodproceeds to block 396 where a determination is made as to whether thereare more Action results to process. If so, the method proceeds back toblock 382. If not, the method ends. As should be appreciated, thisdiagram shows how the results from selector action pairs are combined tocreate a single result. In essence, all hash values are combined, andthen appended with each list value. This combined result is then storedat or sent back to the server.

FIG. 11 is a block diagram of a gaming device 410, in accordance withone embodiment of the present invention. As used herein, gaming device410 refers to any device associated with game play including for examplereceiving credit, inputting data into a game, processing the results ofthe game, outputting both the game and the results of the game,recording the results of the game, monitoring the game, paying out thegame, and the like. The gaming device 410 may for example be a gamingmachine, a handheld portable game player, a ticket validation device,and/or the like.

The gaming device 410 typically includes a processor or controller 412that carries out operations associated with the gaming device 410. Theprocessor 412 operates to executes code and produce and use data. Thecode and data 413 may for example include log files 413A, operatingsystems 413B, communication code 413C, gaming code and data 413D, andthe like.

The code and data 413 may reside within memory block 414 that isoperatively coupled to the processor 412. The memory block 414 generallyprovides a place to hold data and code that is being used by the gamingdevice 410. The memory block 414 may include one or more memorycomponents including non volatile memory components 414A such as ROM orflash memory, volatile memory components 414B such as RAM (in any of itsvarious forms), and/or a hard drive 414C. The memory block 414 may alsoinclude removable media 414D such as CDs, DVDs, floppy's, magnetic tape,etc. The memory block 414 may also include memory components locatedover a network.

The gaming code or data 413D may include the gaming logic (all the logicfor determining financials, whether a win or loss, amount of win, randomnumbers, etc.). The gaming data or code 413D may also include gamingstate or history. The gaming data or code 413D may also include nongaming logic such as code for performing outputs and receiving inputsassociated with the game being played (e.g., the code used to displaythe game and the results of the game).

All or a portion of the gaming code and data 413D may be stored in oneor more of these memory components 414A-D. For example, the gaming codeand data 413D may be stored entirely in one memory component such ashard drive 414C, RAM 414B or flash memory 414A. Alternatively, thegaming code and data 413 may be spread across multiple memory components414. For example, a first portion may be stored in a first memorycomponent, and a second portion may be stored in a second memorycomponent. Additionally, a third portion may be stored in a third memorycomponent and so on.

In one particular embodiment, the gaming code and data 413 is stored onthe hard drive 414C. In fact, the hard drive 414C may be partitionedinto multiple partitions where the operating system 413B resides on onepartition, the gaming data and code 413D including for exampleexecutable files, binaries and resources, reside on another partition, athird partition serves as a place for writing log entries 413A, and afourth partition contains communication code 413C designed to maintaincontact with external systems such as peripherals, hosts, servers, etc.

In another particular embodiment, the gaming code and data 413 is storedin RAM 414B. For example, the hard drive 414C may contain the operatingsystem 413B, log files 413A and communication code 413C, and the gamingdata and code 413D may be downloaded from a server system at run timeand stored in volatile memory.

In yet another particular embodiment, various portions of gaming codeand data 413D is stored in both the hard drive 414C and RAM 414B. Forexample, a first portion of the gaming code and data 413D may be storedin the hard drive 414C, and a second portion of the gaming code and data413D may be stored in RAM 414B.

The gaming device 410 also includes a communication interface 418 thatis operatively coupled to the processor 412. The communication interface418 provides a means to communicate with a external devices 420 such asserver systems, peripherals, hosts, and/or the like via a data link 422provided over a wired or wireless connection. The communicationinterface 418 may for example utilize the communication code 413C storedin memory 4314. In the case of a wireless connection, the communicationinterface 418 may include a transceiver and an antenna. Also, thecommunication interface 420 can use various wireless communicationprotocols including for example IEEE 802.11a, IEEE 802.11b, IEEE802.11x, hyperlan/2, Bluetooth, HomeRF, etc.

The gaming device 410 also includes one or more input devices 426 thatare operatively coupled to the processor 412. The input devices 426allow a user to interact with the gaming device 410. For example, theyallow a user to input data into the gaming device 410. The input devices426 may take a variety of forms including for example buttons, switches,wheels, dials, keys, keypads, navigation pads, joysticks, levers, touchscreens, touch pads, microphone, mouse, trackball, bill receptors, etc.

The gaming device 410 also includes one or more output devices 428 thatare operatively coupled to the processor 412. The output devices 428allow the gaming device 410 to interact with the user. For example, theyallow the gaming device to output data associated with the game to theuser. The output devices 428 may take a variety of forms including forexample a display, speakers (or headset), indicator lights, displaylights, printers, physical reels, etc.

In one embodiment, the gaming device 410 typically includes a display430 such as a CRT display or LCD display for displaying a graphical userinterface GUI. The GUI provides an easy to use interface between a userof the gaming device 310 and the operating system or applications (e.g.,games) running thereon. Generally speaking, the GUI represents,programs, files and various selectable options with graphical images.The GUI can additionally or alternatively display information, such asnon interactive text and graphics, for the user of the gaming device. Inthe case of a gaming machine or game player, the GUI may include thevarious features of the game being played thereon. Alternatively oradditionally, the gaming device may include a physically reel slot.

The configuration of input and output devices 426 and 428 may varyaccording to the type of gaming device 410, and if a gaming machine orgame player, the game or games being played thereon. Each game may havea set of dedicated inputs and outputs or multiple games may utilize thesame inputs and outputs.

As mentioned above, the gaming device 410 can be widely varied. In oneembodiment, the gaming device 410 is embodied as a gaming machine. Incases such as this, typically all the gaming data and code 413D isstored on memory 414 in the gaming device 410.

In another embodiment, the gaming device 410 is embodied as a handheldgame player. In most cases, the handheld game player is in communicationwith a server system 420 such as a gaming machine or gaming server via awireless network (such that the handheld game player is an extension ofthe gaming machine or gaming server). The gaming machine or gamingserver 420 typically includes the gaming logic and gaming history of thegaming data or code 413D while the handheld game player includes the I/Oaspects of the gaming code and data 413D. That is, the handheld gameplayer is a remote I/O terminal that a user carries around to physicallyplay a game remotely or away from the location where the game isactually being played electronically (server system). It should be notedhowever that this is not a limitation and that in some circumstances thehandheld game player may include some or all aspects of the gaming logicand/or gaming history.

Alternatively, the gaming device 410 may be embodied as a peripheralgaming device such as a ticket validation device.

Examples of gaming machines and game players can be found in U.S. Pat.No. 6,846,238, which is herein incorporated by reference.

The inventions described herein have a number of advantages over thestate of the art. Few deployed systems have any sort of ongoing systemconfiguration integrity checks. Even in cases where they do, they aregenerally only partial checks (e.g., the networking configuration checksperformed by Microsoft Windows family of operating systems that are partof its license enforcement scheme). Further, the existing checks of thissort rely on fixed code that is compiled and deployed as a permanentcomponent of the system being checked. This makes such configurationchecking code susceptible to reverse engineering, subversion throughbeing modified or replaced in situ.

The method described herein mitigates these problems and vulnerabilitiesby 1) shortening the window during which the checking code can beexamined and potentially subverted to that in which it is actuallydownloaded and executing on the target system and 2) changing themechanism by which the check is performed each time it is downloaded andexecuted. The result is significant enhancement to the reliability andsecurity of the system configuration integrity check performed usingthis method.

Although the methods described above are directed at server/clientmodel, it should be noted that this is done by way of example and not byway of limitation. The methods may be applied to models other thanserver/client.

The invention is preferably implemented by hardware, software or acombination of hardware and software. The software can also be embodiedas computer readable code on a computer readable medium. The computerreadable medium is any data storage device that can store data which canthereafter be read by a computer system. Examples of the computerreadable medium include read-only memory, random-access memory, CD-ROMs,DVDs, magnetic tape, optical data storage devices, and carrier waves.The computer readable medium can also be distributed overnetwork-coupled computer systems so that the computer readable code isstored and executed in a distributed fashion.

The present invention may be practiced on a wide range of gaming machinedesigns. For example gaming machines with top boxes or player trackingfeatures, gaming machines with only a single game display (mechanical,video), gaming machines designed for bar tables (face upwards).

The present invention may also be practiced in designs that include ahost computer that generates a game and remote terminal or remote gamingdevice that displays the game and receives inputs associated with thegame. The remote gaming device may for example be connected to the hostcomputer via a network such as a local area network, a wide areanetwork, an intranet or the internet. Furthermore, they may be connectedvia a wired or wireless connection. The host computer may be a gameserver or a gaming machine situated on a casino floor. The remote gamingdevice may be a gaming machine situated on the floor of a casino thatcommunicates with a game server or alternatively a portable device suchas but not limited to cell phones, PDA, Laptop, or wireless game playerthat communicate with a game server and/or a gaming machine.

FIG. 12 is a perspective view of an exemplary gaming machine 502 thatmay be used to implement the various aspects of the present invention.As illustrated in FIG. 1, gaming machine 502 includes a main cabinet504, which generally surrounds the machine interior and is viewable byusers. The main cabinet 504 includes a main door 508 on the front of themachine 502, which opens to provide access to the interior of themachine 502. Attached to the main door 508 are player-input switches orbuttons 532, a coin acceptor 528, and a bill validator 530, a coin tray538, and a belly glass 540. Viewable through the main door 508 is avideo display monitor 534 and an information panel 536. The displaymonitor 534 will typically be a cathode ray tube, high resolutionflat-panel LCD, or other conventional electronically controlled videomonitor. The information panel 536 may be a back-lit, silk screenedglass panel with lettering to indicate general game informationincluding, for example, a game denomination (e.g. $0.25 or $1). The billvalidator 530, player-input switches 532, video display monitor 534, andinformation panel are devices used to play a game on the game machine502. According to a specific embodiment, the devices may be controlledby code executed by a master gaming controller housed inside the maincabinet 504 of the machine 502. In specific embodiments where it may berequired that the code be periodically configured and/or authenticatedin a secure manner, the technique of the present invention may be usedfor accomplishing such tasks.

Many different types of games, including mechanical slot games, videoslot games, video poker, video black jack, video pachinko and lottery,may be provided with gaming machines of this invention. In particular,the gaming machine 402 may be operable to provide a play of manydifferent instances of games of chance. The instances may bedifferentiated according to themes, sounds, graphics, type of game(e.g., slot game vs. card game), denomination, number of paylines,maximum jackpot, progressive or non-progressive, bonus games, etc. Thegaming machine 402 may be operable to allow a player to select a game ofchance to play from a plurality of instances available on the gamingmachine. For example, the gaming machine may provide a menu with a listof the instances of games that are available for play on the gamingmachine and a player may be able to select from the list a firstinstance of a game of chance that they wish to play.

The various instances of games available for play on the gaming machine502 may be stored as game software on a mass storage device in thegaming machine or may be generated on a remote gaming device but thendisplayed on the gaming machine. The gaming machine 502 may executedgame software, such as but not limited to video streaming software thatallows the game to be displayed on the gaming machine. When an instanceis stored on the gaming machine 502, it may be loaded from the massstorage device into a RAM for execution. In some cases, after aselection of an instance, the game software that allows the selectedinstance to be generated may be downloaded from a remote gaming device,such as another gaming machine.

As illustrated in FIG. 12, the gaming machine 502 includes a top box506, which sits on top of the main cabinet 504. The top box 506 houses anumber of devices, which may be used to add features to a game beingplayed on the gaming machine 502, including speakers 510, 512, 514, aticket printer 518 which prints bar-coded tickets 520, a key pad 522 forentering player tracking information, a florescent display 516 fordisplaying player tracking information, a card reader 524 for entering amagnetic striped card containing player tracking information, and avideo display screen 545. The ticket printer 518 may be used to printtickets for a cashless ticketing system. Further, the top box 506 mayhouse different or additional devices not illustrated in FIG. 12. Forexample, the top box may include a bonus wheel or a back-lit silkscreened panel which may be used to add bonus features to the game beingplayed on the gaming machine. As another example, the top box mayinclude a display for a progressive jackpot offered on the gamingmachine. During a game, these devices are controlled and powered, inpart, by circuitry (e.g. a master gaming controller) housed within themain cabinet 504 of the machine 502.

It will be appreciated that gaming machine 502 is but one example from awide range of gaming machine designs on which the present invention maybe implemented. For example, not all suitable gaming machines have topboxes or player tracking features. Further, some gaming machines haveonly a single game display—mechanical or video, while others aredesigned for bar tables and have displays that face upwards. As anotherexample, a game may be generated in on a host computer and may bedisplayed on a remote terminal or a remote gaming device. The remotegaming device may be connected to the host computer via a network ofsome type such as a local area network, a wide area network, an intranetor the Internet. The remote gaming device may be a portable gamingdevice such as but not limited to a cell phone, a personal digitalassistant, and a wireless game player. Images rendered from 3-D gamingenvironments may be displayed on portable gaming devices that are usedto play a game of chance. Further a gaming machine or server may includegaming logic for commanding a remote gaming device to render an imagefrom a virtual camera in a 3-D gaming environments stored on the remotegaming device and to display the rendered image on a display located onthe remote gaming device. Thus, those of skill in the art willunderstand that the present invention, as described below, can bedeployed on most any gaming machine now available or hereafterdeveloped.

Some preferred gaming machines of the present assignee are implementedwith special features and/or additional circuitry that differentiatesthem from general-purpose computers (e.g., desktop PC's and laptops).Gaming machines are highly regulated to ensure fairness and, in manycases, gaming machines are operable to dispense monetary awards ofmultiple millions of dollars. Therefore, to satisfy security andregulatory requirements in a gaming environment, hardware and softwarearchitectures may be implemented in gaming machines that differsignificantly from those of general-purpose computers. A description ofgaming machines relative to general-purpose computing machines and someexamples of the additional (or different) components and features foundin gaming machines are described below.

At first glance, one might think that adapting PC technologies to thegaming industry would be a simple proposition because both PCs andgaming machines employ microprocessors that control a variety ofdevices. However, because of such reasons as 1) the regulatoryrequirements that are placed upon gaming machines, 2) the harshenvironment in which gaming machines operate, 3) security requirementsand 4) fault tolerance requirements, adapting PC technologies to agaming machine can be quite difficult. Further, techniques and methodsfor solving a problem in the PC industry, such as device compatibilityand connectivity issues, might not be adequate in the gamingenvironment. For instance, a fault or a weakness tolerated in a PC, suchas security holes in software or frequent crashes, may not be toleratedin a gaming machine because in a gaming machine these faults can lead toa direct loss of funds from the gaming machine, such as stolen cash orloss of revenue when the gaming machine is not operating properly.

For the purposes of illustration, a few differences between PC systemsand gaming systems will be described. A first difference between gamingmachines and common PC based computers systems is that gaming machinesare designed to be state-based systems. In a state-based system, thesystem stores and maintains its current state in a non-volatile memory,such that, in the event of a power failure or other malfunction thegaming machine will return to its current state when the power isrestored. For instance, if a player was shown an award for a game ofchance and, before the award could be provided to the player the powerfailed, the gaming machine, upon the restoration of power, would returnto the state where the award is indicated. As anyone who has used a PC,knows, PCs are not state machines and a majority of data is usually lostwhen a malfunction occurs. This requirement affects the software andhardware design on a gaming machine.

A second important difference between gaming machines and common PCbased computer systems is that for regulation purposes, the software onthe gaming machine used to generate the game of chance and operate thegaming machine has been designed to be static and monolithic to preventcheating by the operator of gaming machine. For instance, one solutionthat has been employed in the gaming industry to prevent cheating andsatisfy regulatory requirements has been to manufacture a gaming machinethat can use a proprietary processor running instructions to generatethe game of chance from an EPROM or other form of non-volatile memory.The coding instructions on the EPROM are static (non-changeable) andmust be approved by a gaming regulators in a particular jurisdiction andinstalled in the presence of a person representing the gamingjurisdiction. Any changes to any part of the software required togenerate the game of chance, such as adding a new device driver used bythe master gaming controller to operate a device during generation ofthe game of chance can require a new EPROM to be burnt, approved by thegaming jurisdiction and reinstalled on the gaming machine in thepresence of a gaming regulator. Regardless of whether the EPROM solutionis used, to gain approval in most gaming jurisdictions, a gaming machinemust demonstrate sufficient safeguards that prevent an operator orplayer of a gaming machine from manipulating hardware and software in amanner that gives them an unfair and some cases an illegal advantage.The gaming machine should have a means to determine if the code it willexecute is valid. If the code is not valid, the gaming machine must havea means to prevent the code from being executed. The code validationrequirements in the gaming industry affect both hardware and softwaredesigns on gaming machines.

A third important difference between gaming machines and common PC basedcomputer systems is the number and kinds of peripheral devices used on agaming machine are not as great as on PC based computer systems.Traditionally, in the gaming industry, gaming machines have beenrelatively simple in the sense that the number of peripheral devices andthe number of functions the gaming machine has been limited. Further, inoperation, the functionality of gaming machines were relatively constantonce the gaming machine was deployed, i.e., new peripherals devices andnew gaming software were infrequently added to the gaming machine. Thisdiffers from a PC where users will go out and buy different combinationsof devices and software from different manufacturers and connect them toa PC to suit their needs depending on a desired application. Therefore,the types of devices connected to a PC may vary greatly from user touser depending in their individual requirements and may varysignificantly over time.

Although the variety of devices available for a PC may be greater thanon a gaming machine, gaming machines still have unique devicerequirements that differ from a PC, such as device security requirementsnot usually addressed by PCs. For instance, monetary devices, such ascoin dispensers, bill validators and ticket printers and computingdevices that are used to govern the input and output of cash to a gamingmachine have security requirements that are not typically addressed inPCs. Therefore, many PC techniques and methods developed to facilitatedevice connectivity and device compatibility do not address the emphasisplaced on security in the gaming industry.

To address some of the issues described above, a number ofhardware/software components and architectures are utilized in gamingmachines that are not typically found in general purpose computingdevices, such as PCs. These hardware/software components andarchitectures, as described below in more detail, include but are notlimited to watchdog timers, voltage monitoring systems, state-basedsoftware architecture and supporting hardware, specialized communicationinterfaces, security monitoring and trusted memory.

For example, a watchdog timer is normally used in International GameTechnology (IGT) gaming machines to provide a software failure detectionmechanism. In a normally operating system, the operating softwareperiodically accesses control registers in the watchdog timer subsystemto “re-trigger” the watchdog. Should the operating software fail toaccess the control registers within a preset timeframe, the watchdogtimer will timeout and generate a system reset. Typical watchdog timercircuits include a loadable timeout counter register to allow theoperating software to set the timeout interval within a certain range oftime. A differentiating feature of the some preferred circuits is thatthe operating software cannot completely disable the function of thewatchdog timer. In other words, the watchdog timer always functions fromthe time power is applied to the board.

IGT gaming computer platforms preferably use several power supplyvoltages to operate portions of the computer circuitry. These can begenerated in a central power supply or locally on the computer board. Ifany of these voltages falls out of the tolerance limits of the circuitrythey power, unpredictable operation of the computer may result. Thoughmost modern general-purpose computers include voltage monitoringcircuitry, these types of circuits only report voltage status to theoperating software. Out of tolerance voltages can cause softwaremalfunction, creating a potential uncontrolled condition in the gamingcomputer. Gaming machines of the present assignee typically have powersupplies with tighter voltage margins than that required by theoperating circuitry. In addition, the voltage monitoring circuitryimplemented in IGT gaming computers typically has two thresholds ofcontrol. The first threshold generates a software event that can bedetected by the operating software and an error condition generated.This threshold is triggered when a power supply voltage falls out of thetolerance range of the power supply, but is still within the operatingrange of the circuitry. The second threshold is set when a power supplyvoltage falls out of the operating tolerance of the circuitry. In thiscase, the circuitry generates a reset, halting operation of thecomputer.

The standard method of operation for IGT slot machine game software isto use a state machine. Different functions of the game (bet, play,result, points in the graphical presentation, etc.) may be defined as astate. When a game moves from one state to another, critical dataregarding the game software is stored in a custom non-volatile memorysubsystem. This is critical to ensure the player's wager and credits arepreserved and to minimize potential disputes in the event of amalfunction on the gaming machine.

In general, the gaming machine does not advance from a first state to asecond state until critical information that allows the first state tobe reconstructed is stored. This feature allows the game to recoveroperation to the current state of play in the event of a malfunction,loss of power, etc that occurred just prior to the malfunction. Afterthe state of the gaming machine is restored during the play of a game ofchance, game play may resume and the game may be completed in a mannerthat is no different than if the malfunction had not occurred.Typically, battery backed RAM devices are used to preserve this criticaldata although other types of non-volatile memory devices may beemployed. These memory devices are not used in typical general-purposecomputers.

As described in the preceding paragraph, when a malfunction occursduring a game of chance, the gaming machine may be restored to a statein the game of chance just prior to when the malfunction occurred. Therestored state may include metering information and graphicalinformation that was displayed on the gaming machine in the state priorto the malfunction. For example, when the malfunction occurs during theplay of a card game after the cards have been dealt, the gaming machinemay be restored with the cards that were previously displayed as part ofthe card game. As another example, a bonus game may be triggered duringthe play of a game of chance where a player is required to make a numberof selections on a video display screen. When a malfunction has occurredafter the player has made one or more selections, the gaming machine maybe restored to a state that shows the graphical presentation at the justprior to the malfunction including an indication of selections that havealready been made by the player. In general, the gaming machine may berestored to any state in a plurality of states that occur in the game ofchance that occurs while the game of chance is played or to states thatoccur between the play of a game of chance.

Game history information regarding previous games played such as anamount wagered, the outcome of the game and so forth may also be storedin a non-volatile memory device. The information stored in thenon-volatile memory may be detailed enough to reconstruct a portion ofthe graphical presentation that was previously presented on the gamingmachine and the state of the gaming machine (e.g., credits) at the timethe game of chance was played. The game history information may beutilized in the event of a dispute. For example, a player may decidethat in a previous game of chance that they did not receive credit foran award that they believed they won. The game history information maybe used to reconstruct the state of the gaming machine prior, duringand/or after the disputed game to demonstrate whether the player wascorrect or not in their assertion. Further details of a state basedgaming system, recovery from malfunctions and game history are describedin U.S. Pat. No. 6,804,763, titled “High Performance Battery Backed RAMInterface”, U.S. Pat. No. 6,863,608, titled “Frame Capture of ActualGame Play,” U.S. application Ser. No. 10/243,104, titled, “DynamicNV-RAM,” and U.S. application Ser. No. 10/758,828, titled, “FrameCapture of Actual Game Play,” each of which is incorporated by referenceand for all purposes.

Another feature of gaming machines, such as IGT gaming computers, isthat they often include unique interfaces, including serial interfaces,to connect to specific subsystems internal and external to the slotmachine. The serial devices may have electrical interface requirementsthat differ from the “standard” EIA 232 serial interfaces provided bygeneral-purpose computers. These interfaces may include EIA 485, EIA422, Fiber Optic Serial, optically coupled serial interfaces, currentloop style serial interfaces, etc. In addition, to conserve serialinterfaces internally in the slot machine, serial devices may beconnected in a shared, daisy-chain fashion where multiple peripheraldevices are connected to a single serial channel.

The serial interfaces may be used to transmit information usingcommunication protocols that are unique to the gaming industry. Forexample, IGT's Netplex is a proprietary communication protocol used forserial communication between gaming devices. As another example, SAS isa communication protocol used to transmit information, such as meteringinformation, from a gaming machine to a remote device. Often SAS is usedin conjunction with a player tracking system.

IGT gaming machines may alternatively be treated as peripheral devicesto a casino communication controller and connected in a shared daisychain fashion to a single serial interface. In both cases, theperipheral devices are preferably assigned device addresses. If so, theserial controller circuitry must implement a method to generate ordetect unique device addresses. General-purpose computer serial portsare not able to do this.

Security monitoring circuits detect intrusion into an IGT gaming machineby monitoring security switches attached to access doors in the slotmachine cabinet. Preferably, access violations result in suspension ofgame play and can trigger additional security operations to preserve thecurrent state of game play. These circuits also function when power isoff by use of a battery backup. In power-off operation, these circuitscontinue to monitor the access doors of the slot machine. When power isrestored, the gaming machine can determine whether any securityviolations occurred while power was off, e.g., via software for readingstatus registers. This can trigger event log entries and further dataauthentication operations by the slot machine software.

Trusted memory devices and/or trusted memory sources are preferablyincluded in an IGT gaming machine computer to ensure the authenticity ofthe software that may be stored on less secure memory subsystems, suchas mass storage devices. Trusted memory devices and controllingcircuitry are typically designed to not allow modification of the codeand data stored in the memory device while the memory device isinstalled in the slot machine. The code and data stored in these devicesmay include authentication algorithms, random number generators,authentication keys, operating system kernels, etc. The purpose of thesetrusted memory devices is to provide gaming regulatory authorities aroot trusted authority within the computing environment of the slotmachine that can be tracked and verified as original. This may beaccomplished via removal of the trusted memory device from the slotmachine computer and verification of the secure memory device contentsis a separate third party verification device. Once the trusted memorydevice is verified as authentic, and based on the approval of theverification algorithms included in the trusted device, the gamingmachine is allowed to verify the authenticity of additional code anddata that may be located in the gaming computer assembly, such as codeand data stored on hard disk drives. A few details related to trustedmemory devices that may be used in the present invention are describedin U.S. Pat. No. 6,685,567, filed Aug. 8, 2001 and titled “ProcessVerification,” and U.S. patent application Ser. No. 11/221,314, titled“Data Pattern Verification in a Gaming Machine Environment,” filed Sep.6, 2005, each of which is incorporated herein by reference in itsentirety and for all purposes.

In at least one embodiment, at least a portion of the trusted memorydevices/sources may correspond to memory which cannot easily be altered(e.g., “unalterable memory”) such as, for example, EPROMS, PROMS, Bios,Extended Bios, and/or other memory sources which are able to beconfigured, verified, and/or authenticated (e.g., for authenticity) in asecure and controlled manner.

According to a specific implementation, when a trusted informationsource is in communication with a remote device via a network, theremote device may employ a verification scheme to verify the identity ofthe trusted information source. For example, the trusted informationsource and the remote device may exchange information using public andprivate encryption keys to verify each other's identities. In anotherembodiment of the present invention, the remote device and the trustedinformation source may engage in methods using zero knowledge proofs toauthenticate each of their respective identities. Details of zeroknowledge proofs that may be used with the present invention aredescribed in US publication no. 2003/0203756, by Jackson, filed on Apr.25, 2002 and entitled, “Authentication in a Secure Computerized GamingSystem”, which is incorporated herein in its entirety and for allpurposes.

Gaming devices storing trusted information may utilize apparatus ormethods to detect and prevent tampering. For instance, trustedinformation stored in a trusted memory device may be encrypted toprevent its misuse. In addition, the trusted memory device may besecured behind a locked door. Further, one or more sensors may becoupled to the memory device to detect tampering with the memory deviceand provide some record of the tampering. In yet another example, thememory device storing trusted information might be designed to detecttampering attempts and clear or erase itself when an attempt attampering has been detected.

Additional details relating to trusted memory devices/sources aredescribed in U.S. patent application Ser. No. 11/078,966, entitled“SECURED VIRTUAL NETWORK IN A GAMING ENVIRONMENT”, naming Nguyen et al.as inventors, filed on Mar. 10, 2005, herein incorporated in itsentirety and for all purposes.

Mass storage devices used in a general purpose computer typically allowcode and data to be read from and written to the mass storage device. Ina gaming machine environment, modification of the gaming code stored ona mass storage device is strictly controlled and would only be allowedunder specific maintenance type events with electronic and physicalenablers required. Though this level of security could be provided bysoftware, IGT gaming computers that include mass storage devicespreferably include hardware level mass storage data protection circuitrythat operates at the circuit level to monitor attempts to modify data onthe mass storage device and will generate both software and hardwareerror triggers should a data modification be attempted without theproper electronic and physical enablers being present. Details using amass storage device that may be used with the present invention aredescribed, for example, in U.S. Pat. No. 6,149,522, herein incorporatedby reference in its entirety for all purposes.

Returning to the example of FIG. 12, when a user wishes to play thegaming machine 502, he or she inserts cash through the coin acceptor 528or bill validator 530. Additionally, the bill validator may accept aprinted ticket voucher which may be accepted by the bill validator 530as an indicia of credit when a cashless ticketing system is used. At thestart of the game, the player may enter playing tracking informationusing the card reader 524, the keypad 522, and the florescent display516. Further, other game preferences of the player playing the game maybe read from a card inserted into the card reader. During the game, theplayer views game information using the video display 534. Other gameand prize information may also be displayed in the video display screen545 located in the top box.

During the course of a game, a player may be required to make a numberof decisions, which affect the outcome of the game. For example, aplayer may vary his or her wager on a particular game, select a prizefor a particular game selected from a prize server, or make gamedecisions which affect the outcome of a particular game. The player maymake these choices using the player-input switches 532, the videodisplay screen 534 or using some other device which enables a player toinput information into the gaming machine. In some embodiments, theplayer may be able to access various game services such as conciergeservices and entertainment content services using the video displayscreen 534 and one more input devices.

During certain game events, the gaming machine 502 may display visualand auditory effects that can be perceived by the player. These effectsadd to the excitement of a game, which makes a player more likely tocontinue playing. Auditory effects include various sounds that areprojected by the speakers 510, 512, 514. Visual effects include flashinglights, strobing lights or other patterns displayed from lights on thegaming machine 502 or from lights behind the belly glass 540. After theplayer has completed a game, the player may receive game tokens from thecoin tray 538 or the ticket 520 from the printer 518, which may be usedfor further games or to redeem a prize. Further, the player may receivea ticket 520 for food, merchandise, or games from the printer 518.

FIG. 13 is a simplified block diagram of an exemplary gaming machine 600that may be used to implement the various aspects of the presentinvention. As illustrated in FIG. 13, gaming machine 600 includes atleast one processor 610, at least one interface 606, and memory 616.

In one implementation, processor 610 and master gaming controller 612are included in a logic device 613 enclosed in a logic device housing.The processor 610 may include any conventional processor or logic deviceconfigured to execute software allowing various configuration andreconfiguration tasks such as, for example: a) communicating with aremote source via communication interface 606, such as a server thatstores authentication information or games; b) converting signals readby an interface to a format corresponding to that used by software ormemory in the gaming machine; c) accessing memory to configure orreconfigure game parameters in the memory according to indicia read fromthe device; d) communicating with interfaces, various peripheral devices622 and/or I/O devices 611; e) operating peripheral devices 622 such as,for example, card reader 625 and paper ticket reader 627; f) operatingvarious I/O devices such as, for example, display 635, key pad 630 and alight panel 616; etc. For instance, the processor 610 may send messagesincluding configuration and reconfiguration information to the display635 to inform casino personnel of configuration progress. As anotherexample, the logic device 613 may send commands to the light panel 637to display a particular light pattern and to the speaker 639 to projecta sound to visually and aurally convey configuration information orprogress. Light panel 637 and speaker 639 may also be used tocommunicate with authorized personnel for authentication and securitypurposes.

Peripheral devices 622 may include several device interfaces such as,for example: card reader 625, bill validator/paper ticket reader 627,hopper 629, etc. Card reader 625 and bill validator/paper ticket reader627 may each comprise resources for handling and processingconfiguration indicia such as a microcontroller that converts voltagelevels for one or more scanning devices to signals provided to processor610. In one embodiment, application software for interfacing withperipheral devices 622 may store instructions (such as, for example, howto read indicia from a portable device) in a memory device such as, forexample, non-volatile memory, hard drive or a flash memory.

The gaming machine 600 also includes memory 616 which may include, forexample, volatile memory (e.g., RAM 609), non-volatile memory 619 (e.g.,FLASH memory, EPROMs, battery backed RAM, etc.), unalterable memory(e.g., EPROMs 608), alternate storage 6517 (e.g., non-volatile memoryimplemented using disk drive(s), flash memory, remote storage, etc.),etc. The memory may be configured or designed to store, for example: 1)configuration software 614 such as all the parameters and settings for agame playable on the gaming machine; 2) associations 618 betweenconfiguration indicia read from a device with one or more parameters andsettings; 3) communication protocols allowing the processor 610 tocommunicate with peripheral devices 622 and I/O devices 611; 4) asecondary memory storage device 615 such as a non-volatile memorydevice, configured to store gaming software related information (thegaming software related information and memory may be used to storevarious audio files and games not currently being used and invoked in aconfiguration or reconfiguration); 5) communication transport protocols(such as, for example, TCP/IP, USB, Firewire, IEEE1394, Bluetooth, IEEE802.11x (IEEE 802.11 standards), hiperlan/2, HomeRF, etc.) for allowingthe gaming machine to communicate with local and non-local devices usingsuch protocols; etc. Typically, the master gaming controller 612communicates using a serial communication protocol. A few examples ofserial communication protocols that may be used to communicate with themaster gaming controller include but are not limited to USB, RS-232 andNetplex (a proprietary protocol developed by IGT, Reno, Nev.).

A plurality of device drivers 642 may be stored in memory 616. Exampleof different types of device drivers may include device drivers forgaming machine components, device drivers for peripheral components 622,etc. Typically, the device drivers 642 utilize a communication protocolof some type that enables communication with a particular physicaldevice. The device driver abstracts the hardware implementation of adevice. For example, a device drive may be written for each type of cardreader that may be potentially connected to the gaming machine. Examplesof communication protocols used to implement the device drivers 659include Netplex 660, USB 665, Serial 670, Ethernet 675, Firewire 685,I/O debouncer 690, direct memory map, serial, PCI 680 or parallel.Netplex is a proprietary IGT standard while the others are openstandards. According to a specific embodiment, when one type of aparticular device is exchanged for another type of the particulardevice, a new device driver may be loaded from the memory 616 by theprocessor 610 to allow communication with the device. For instance, onetype of card reader in gaming machine 60 may be replaced with a secondtype of card reader where device drivers for both card readers arestored in the memory 616.

In some embodiments, the gaming machine 600 may also include variousauthentication and/or validation components 644 which may be used forauthenticating/validating specified gaming machine components such as,for example, hardware components, software components, firmwarecomponents, information stored in the gaming machine memory 616, etc.Examples of various authentication and/or validation components aredescribed in U.S. Pat. No. 6,620,047, entitled, “ELECTRONIC GAMINGAPPARATUS HAVING AUTHENTICATION DATA SETS,” incorporated herein byreference in its entirety for all purposes.

In some embodiments, the software units stored in the memory 616 may beupgraded as needed. For instance, when the memory 616 is a hard drive,new games, game options, various new parameters, new settings forexisting parameters, new settings for new parameters, device drivers,and new communication protocols may be uploaded to the memory from themaster gaming controller 604 or from some other external device. Asanother example, when the memory 616 includes a CD/DVD drive including aCD/DVD designed or configured to store game options, parameters, andsettings, the software stored in the memory may be upgraded by replacinga first CD/DVD with a second CD/DVD. In yet another example, when thememory 616 uses one or more flash memory 619 or EPROM 608 units designedor configured to store games, game options, parameters, settings, thesoftware stored in the flash and/or EPROM memory units may be upgradedby replacing one or more memory units with new memory units whichinclude the upgraded software. In another embodiment, one or more of thememory devices, such as the hard-drive, may be employed in a gamesoftware download process from a remote software server.

It will be apparent to those skilled in the art that other memory types,including various computer readable media, may be used for storing andexecuting program instructions pertaining to the operation of thepresent invention. Because such information and program instructions maybe employed to implement the systems/methods described herein, thepresent invention relates to machine-readable media that include programinstructions, state information, etc. for performing various operationsdescribed herein. Examples of machine-readable media include, but arenot limited to, magnetic media such as hard disks, floppy disks, andmagnetic tape; optical media such as CD-ROM disks; magneto-optical mediasuch as floptical disks; and hardware devices that are speciallyconfigured to store and perform program instructions, such as read-onlymemory devices (ROM) and random access memory (RAM). The invention mayalso be embodied in a carrier wave traveling over an appropriate mediumsuch as airwaves, optical lines, electric lines, etc. Examples ofprogram instructions include both machine code, such as produced by acompiler, and files including higher level code that may be executed bythe computer using an interpreter.

Additional details about other gaming machine architectures, featuresand/or components are described, for example, in U.S. patent applicationSer. No. 10/040,239, entitled, “GAME DEVELOPMENT ARCHITECTURE THATDECOUPLES THE GAME LOGIC FROM THE GRAPHICS LOGIC,” and published on Apr.24, 2003 as U.S. Patent Publication No. 20030078103, incorporated hereinby reference in its entirety for all purposes.

As mentioned previously, there is a need to preserve certain types ofgame play data from gaming machines. Such data may be necessary toaddress disputes that players may have with a casino or other gamingestablishment over whether or not a winning combination occurred, theamount of pay out due, etc. Further, casino operators sometimes need thesame or related information for other reasons such as re-creating eventsthat led to a malfunction, collecting statistical information before apower failure, logging the types of games played over the life of aparticular machine, etc.

Among the types of commonly preserved data is so-called “critical data”or “critical game information,” which must be maintained by casinos orother gaming machine establishments. Such data may be stored as simpletext and/or graphics. In some cases, entire frames of video data may becaptured for this purpose. See for example U.S. patent application Ser.No. 10/758,828 filed Jan. 15, 2004, herein incorporated by reference inits entirety for all purposes.

Typically gaming machines are provided with finite resources for storingthe various types of game play data. Such resources often take the formof non-volatile RAM (NV-RAM), magnetic disk mass storage, etc.

Gaming regulators, such as the Nevada gaming commission, require thatgaming machines save critical data for a certain length of time (e.g., aset number of games) before allowing older critical data to be purgedfrom a gaming machine. To this end, gaming machine manufacturerssometimes store such data in battery-backed non-volatile RAM. Thisallows critical data to be stored without power for long periods oftime. See the discussion in U.S. Pat. No. 6,804,763, herein incorporatedby reference in its entirety for all purposes.

An ancillary issue arises with regard to preserving game data when agame is being removed from a gaming machine. Traditionally, a givengaming machine was born with and died with a single game, e.g., a videopoker game. Modern technology allows games to be removed for variousreasons such as because a license for the game has expired or becausereplacement with a different game is expected to increase revenue. Atechnology enabling such situations is downloadable code for individualgames that can be executed on a given gaming machine or other terminal.In some terminals, only a single game is available for play at any giventime. In other terminals, multiple games are available for userselection at particular instants in time.

Electronic downloading of the necessary software into the gaming machineallows a gaming machine to access scalable server farms and databases toselect a set of games it needs from the game library. A desire of casinooperators after games are safely downloaded is the ability toelectronically move the games around on the casino floor. Casinomanagers routinely move slot machines (entire slot machine) around thefloor in search of the optimum layout. A popular new game might belocated near the door, but an older game might be better suited in theback. A Harley-Davidson™ game might be moved to the front during aBiker's convention, etc.

Currently, when a game is removed from a gaming machine, that “entiregame,” including the game image and all statistical, counter, andhistorical information is deleted together, at one time. The “gameimage” refers to executable code for playing a given game on a mastergaming controller. There are various difficulties with this approach.First, because the history of a game must be preserved, some specialeffort is required to capture that history before the game is wipedclean from the terminal. In some cases, this is done manually by anattendant, who may review meters and other records as necessary at thetime the game is removed. In addition or alternatively, casino personnelmay instruct a server to capture recent accounting and/or game historyinformation as necessary. Obviously, the operator intervention requiredfor these efforts represents some burden for the casino or other gamingestablishment.

On top of the efforts required to capture critical data and otherrelevant game play data, an operator may be required to reset all mannerof ancillary conditions associated with the game before a new game canbe installed on the terminal. For example, the operator may be requiredto re-seed a random number generator, reset various meters, setbackground colors associated with games, etc.

As disclosed in related patent application Ser. No. 10/243,104, a methodand apparatus are taught for dynamically downloading or removing agame(s) stored on a gaming machine without altering or deleting“critical data” unrelated to the added or removed game(s). The termcritical data may be defined as data that records the past and presentstates of a gaming machine. Examples of such states include a game'shistory, accounting, security information, or the like. This type ofcritical data may be stored in a gaming machine's non-volatile memory.In one embodiment when downloading or removing a game(s) in a gamingmachine occurs, critical data is added or removed by allocating orde-allocating memory space in a non-volatile random access memory(NV-RAM) of a gaming machine.

Gaming regulators, such as the Nevada gaming commission, require thatgaming machines prohibit the writing of code, data and/or other gaminginformation to gaming machine disk drives by sources other than trustedmemory sources which have been properly verified and authenticated.Because of such regulatory constraints, it has been conventionalpractice in the gaming industry to design and implement mechanisms forpreserving critical data in the gaming machine's non-volatile RAMwithout utilizing memory storage at the gaming machine's disk drive(s).Thus, for example, a number of embodiments of patent application Ser.No. 10/243,104 relate to methods to maximize the use of free memoryspace in an NV-RAM during the course of the gaming machine's operationand maintenance. A number of embodiments of that patent application alsorelate to methods to efficiently utilize the memory space in an NV-RAMwhen a game is downloaded or removed from a gaming machine. In oneembodiment, a method is disclosed for dynamically sizing the NV-RAMmemory space based on the gaming machine's operational requirements.

Contrary to conventional practice, however, various embodiments of thepresent invention are directed to different techniques for managing thestorage of game related data and/or critical data in both non-volatileRAM and alternate storage of the gaming machine which, for example, mayinclude one or more disk drives. For example, one implementation of thepresent invention is directed to a technique for automatically anddynamically swapping critical data and/or other game related informationbetween the non-volatile RAM (NV-RAM) and the alternate storage (e.g.,disk drive) of the gaming machine as new games are added and/or existinggames are removed to/from the gaming machine.

In at least one embodiment, the technique of the present invention isadapted to take advantage of the fact that games may be divided intodifferent portions having differing preservation needs. These differentportions may be saved to set locations for set periods of time when adownloaded game that was once available on a given gaming terminal mustbe disabled, removed or otherwise made unavailable on the gamingterminal. The removal process may be automated or controlled remotely,although this is not strictly required. Further, the invention may beimplemented using directories of the various game components formultiple downloaded games available to a single gaming terminal.

As suggested previously, one aspect of the present invention involvespreserving a portion of a game containing specified game information,such as historical information, when a game is removed from a gamingterminal. In accordance with this invention, a game may be any game ofchance such as, for example, slot games, video poker games, lotterygames, and the like. A gaming terminal is generally any apparatus thatsupports playing a downloaded game. Examples include stand alone andnetworked gaming machines, personal computers, cell phones, personaldigital assistants, and the like. FIG. 12 depicts a gaming machine,which represents a specific embodiment of a gaming terminal forimplementing the present invention. In order support downloading, agaming terminal may be connected via a network to a source of games fordownloading. Of course, this is not strictly required because, forexample, games may be downloaded from portable memory devices that aretemporarily resident on the gaming terminal.

In accordance with certain embodiments of the invention, a downloadedgame has multiple portions or components, which have differingpreservation requirements. When a downloaded game is to be removed froma gaming terminal, the various components are treated differently interms of (1) whether or not they are preserved, (2) where they arestored, and (3) for how long they are stored. Thus, embodiments of theinvention pertain to partial or staged removal of a downloaded game froma gaming terminal.

A typical game of chance contains logic and data for, among otherthings, processing player inputs, determining a game outcome, presentinga game display to the player (via typically video and audio output), andstoring various pieces of information about the game. One way tovisualize a game is as combination of non-modifiable portions andaccumulative portions. The non-modifiable portions generally include, atleast, executable code for implementing the game, which code processesuser inputs, calculates game outcomes (using typically a random numbergenerator), and presents the game to the user on the gaming terminal.The accumulative portions of a game are typically data and associatedcontextual information specifying such things as game history, gamemeter values, various types of accounting information, specific framesfrom the game play, game outcomes, numbers of games played,denominations played, and the like. In some cases, the accumulativeportion comprises minimal state information required to re-create a gameplay using executing game code. In general, accumulative components are,as their name suggests, portions of the game that are accumulated andtherefore saved at least temporarily.

In certain embodiments, the accumulative portions of the game may bedivided into various subsets of data or derived components distinguishedbased on content. For example, one subset or derived component may bedeemed particularly important for long-term storage and referred to as“permanent” data. Examples of permanent data include number of gamesplayed and the mere fact that a particular game was resident and/orplayed on a particular terminal at one time in the past, and the like.Examples of derived permanent data include, for example, win/lossratios, average payback, and the like. Obviously, designating particularaccumulative data as “permanent” is a choice made based upon theimportance attached to that data by the particular gaming establishmentor regulatory body having control or jurisdiction.

Some accumulative data may be designated as critical data or criticalgame information. The designation of some accumulative data as“critical” is dependent upon the requirements of controlling entitiessuch as casinos and governmental bodies. In typical cases, critical datamay comprise one or more of game history information, securityinformation, accounting information, player tracking information, widearea progressive information and game state information. A few specificexamples of critical data may include, for example, one or more of thefollowing: (1) Main door/Drop door/Cash door openings and closings, (2)Bill insert message with the denomination of the bill, (3) Hopper tilt,(4) Bill jam, (5) Reel tilt, (6) Coin in and Coin out tilts, (7) Powerloss, (8) Card insert, (9) Card removal, (10) Jackpot, (11) Abandonedcard (12) querying the non-volatile memory for the current creditavailable on the gaming machine, (13) reading the credit informationfrom a player's card, (14) adding an amount of credits to the gamingmachine, (15) writing to a player's card via the card reader and thedevice drivers to deduct the amount added to gaming machine from thecard and (16) copying the new credit information to the non-volatilememory. Such information may be required to be kept by, for example,various gaming regulatory bodies (e.g., the Nevada Gaming Commission)for a period of time; e.g., 75 game plays after the information wasaccumulated.

The accumulative data to be saved may take the form of text, graphics,frames, video clips, etc. In the simplest case, it is merely textualdata describing a game's state, history, statistics, etc. A morememory-intensive form of data storage stores frames (essentially bitmaps of video still shots) for selected portions of the gamepresentation; e.g., frames associated with user inputs and presentationof game outcomes. Some of these frames may have embedded or associateddata providing specific details such as state, statistics, etc. asdescribed above. Frame capture for the purpose of preservingaccumulative data is described in, for example, U.S. patent applicationSer. No. 10/758,828 filed Jan. 15, 2004, herein incorporated byreference in its entirety for all purposes. Yet another way to saverelevant game play information is via a game play sequence thatre-presents the game as it appeared originally. This involvespresentation of a series of frames and associated events, including, forexample, user interactive events. It is effectively a movie or videoclip of a game play. To implement this type of replay, it will benecessary to preserve essential state information about the game andthen re-execute the game code using such state information.

In certain embodiments, the non-modifiable component of a game is savedon a hard drive memory and temporarily loaded into main memory forexecution. The accumulative data component (including the permanentdata) is sometimes stored on a non-volatile RAM. See U.S. Pat. No.6,804,763, herein incorporated by reference in its entirety for allpurposes. In certain other embodiments, all components of a game may bestored together on NV-RAM, which takes the form of flash memory, MRAM,or other non-volatile storage media which can inexpensively store largequantities of data. Traditionally, NV-RAM has been chosen as a preferrednon-volatile storage medium for storing critical data because it is ableto handle relatively large data bursts in real time, without introducingdelays in the gaming machine system. By the same reasoning, hard drivememory has traditionally not been desirable as a preferred non-volatilestorage medium for storing critical data because of its relatively slowaccess time compared to NV-RAM, for example.

To trigger a change in storage location or state of a particular gamecomponent (accumulative and/or un-modifiable), a downloaded game (orgames) that was once available on gaming terminal may be madeunavailable for future play. As indicated, a game may be deactivated forvarious reasons such as expiration of a license to the game, poorrevenue generation, etc. A game may be deactivated by one or more of thefollowing techniques: (1) deleting at least a portion of the game fromall memory on the gaming terminal, (2) moving at least a portion of thegame to a different memory device within the terminal or outside theterminal, and (3) rendering the game inactive without moving it from thegaming terminal memory device on which it was once stored. In situation(3), a software mechanism may be control player access to the game,e.g., a flag may be set indicating that the game cannot be presented toa user. Otherwise, the game components may be maintained, as they were,stored on the gaming terminal when the game was available for play.

Depending on the needs of the gaming establishment or the design of agaming terminal, memory for storing game components after deactivationmay be found in any one or more of (1) a local gaming terminal where adownloaded game is played, (2) a peer machine of the terminal, and/or(3) a server networked with the gaming terminal. Any one of thesemachines may include dedicated NV-RAM, main memory volatile RAM, harddrives, etc. They may also include temporarily attached portable memorysuch as optical disks, semiconductor memory devices, etc. As indicate,the various game components may be independently and separately storedon any of these devices.

Depending on which forms of accumulative data are employed, a storageprocedure for preserving game data after deactivation may dictatedifferent types of and locations of storage media. For example, simpletextual data, particularly compacted textual data, may be convenientlystored in NV-RAM, while frames might be more conveniently stored on amass storage device associated with a server or other network componentseparate from the gaming terminal where the game play of interest tookplace.

The accumulative component of a game is optionally compacted orcompressed when the game is deactivated or removed from a gamingterminal. Compaction may be performed either on the gaming terminalitself or at some other location, where the accumulative componentresides for a period of time. Data compaction and compression techniquesare well known to those of skill in the art. Generally, data compactioninvolves a reduction of the number of data elements, bandwidth, cost,and time for the generation, transmission, and storage of data withoutloss of information by eliminating unnecessary redundancy, removingirrelevancy, or using special coding. Examples of data compactionmethods are the use of fixed-tolerance bands, variable-tolerance bands,slope-keypoints, sample changes, curve patterns, curve fitting,variable-precision coding, frequency analysis, and probability analysis.

In accordance with certain embodiments of the present invention, variouscomponents of a game may be stored for various lengths of time afterdeactivation as specified by, for example, a casino policy. The lengthsof storage time specified for particular components may be set accordingto the needs of a gaming establishment, one of which comprisesrequirements of regulatory bodies. The lengths of time may be measuredin terms of a number of relevant events or in terms continuous time(minutes, days, weeks, months, years, etc.). Examples of event-basedstorage times include terminal specific actions such number of gamesplayed on a terminal, number of different players using player trackingcards on the terminal, number of separate payouts, total value ofpayouts, number of bonus events realized, etc.

Assume now that after a downloaded game has been deactivated, a user,regulator, and/or gaming establishment needs to review the accumulateddata associated with game play of the downloaded game. Such review mayinvolve, in the simplest case, presentation of the relevant data (e.g.,critical data or other game history data) in textual form.Alternatively, the review may comprise re-creating the presentation ofthe game to the player by executing game code (un-modifiable component)using game state data stored after the game was removed. In othersituations where particular frames or video clips were maintained asaccumulated data after the game was deactivated or removed, the reviewmay simply involve viewing individual frames or video from the storeddata.

Any of the above types of review can be performed at any location thathas been established (or merely chosen as convenient) by the gamingestablishment or regulator. For example, the review may take place atthe gaming terminal where the game was played. Alternatively, it maytake place at a peer terminal or network server on a gaming network.Some relevant methods and devices involving peer-to-peer file transfersbetween gaming machines are discussed in U.S. patent application Ser.No. 11/173,442 (Attorney Docket No. IGT1P153/P-991) by Kinsley et al.,filed Jul. 1, 2005 and entitled “METHODS AND DEVICES FOR DOWNLOADINGGAMES OF CHANCE,” which is hereby incorporated by reference in itsentirety and for all purposes.

While this invention has been described in terms of several preferredembodiments, there are alterations, permutations, and equivalents, whichfall within the scope of this invention. It should also be noted thatthere are many alternative ways of implementing the methods andapparatuses of the present invention. It is therefore intended that thefollowing appended claims be interpreted as including all suchalterations, permutations, and equivalents as fall within the truespirit and scope of the present invention.

What is claimed is:
 1. A host server comprising: one or more processors;memory storing (a) an algorithm database that includes a plurality ofdifferent security algorithms, and (b) an expected software profile foreach of a plurality of computing devices; and a network interfaceconfigured to communicate with the plurality of computing devices;wherein the one or more processors are configured to perform anintegrity check of at least one of the computing devices by: (a)selecting at least a portion of the stored expected software profile ofthe at least one computing device; (b) selecting one or more of thesecurity algorithms from the algorithm database; (c) generating asecurity code based on (i) the selected portion of the stored expectedsoftware profile of the at least one computing device, and (ii) the oneor more selected security algorithms; (d) transmitting the generatedsecurity code to the at least one computing device via the networkinterface, the generated security code configured to (i) run on the atleast one computing device and (ii) return one or more first results tothe host server; (e) receiving the one or more first results of thegenerated code from the at least one computing device; (f) running thegenerated security code on the stored expected software profile of theat least one computing device, the generated security code configured toreturn one or more second results; (g) comparing the one or more firstresults to the one or more second results; and (h) indicating the atleast one computing device as (i) uncompromised or (ii) compromisedbased on the comparison.
 2. The host server of claim 1, wherein eachstored expected software profile is a portion of the software expectedto be stored on one of the plurality of computing devices; and whereinthe one or more processors are configured to perform the integrity checkof the at least one computing device by: indicating the at least onecomputing device as uncompromised when the one or more first resultsmatch the one or more second results.
 3. The host server of claim 1,wherein the one or more processors are configured to perform theintegrity check of the at least one computing device by: counting a timeupon transmitting the generated security code to the at least onecomputing device via the network interface; comparing the counted timeto a predetermined time; and indicating the at least one computingdevice as compromised when (i) the counted time exceeds thepredetermined time, and (ii) the one or more first results have not beenreceived at the host server.
 4. The host server of claim 1, wherein thegenerated security code is configured to automatically self-delete fromthe at least one computing device after returning the one or more firstresults to the host server.
 5. The host server of claim 1, wherein theone or more processors are configured to: associate a first counted timewith a first computing device of the plurality of computing devices;associate a second counted time with a second computing device of theplurality of computing devices; compare the first counted time with aminimum time limit and a maximum time limit; compare the second countedtime with the minimum time limit and the maximum time limit; perform theintegrity check of the first computing device when the first countedtime is between the minimum time limit and the maximum time limit; andperform the integrity check of the second computing device when thesecond counted time is between the minimum time limit and the maximumtime limit.
 6. The host server of claim 1, wherein the one or moreprocessors are configured to perform the integrity check of the leastone computing device by: selecting the one or more security algorithmsfrom the algorithm database based on the selected portion of the storedexpected software profile of the at least one computing device.
 7. Thehost server of claim 1, wherein the generated security code includes: aplurality of pairings, each pairing including: a selector thatidentifies some code of the selected portion of the stored expectedsoftware profile of the at least one computing device; and an actor thatperforms an action on the identified code.
 8. The host server of claim7, wherein the plurality of pairings include: (a) a first pairing with afirst selector and a first actor, and (b) a second pairing with a secondselector and a second actor; wherein the first actor performs a firsthash action and the second actor performs a second hash action; andwherein the generated security code is configured to (i) run the firstpairing before the second pairing and (ii) combine the first hashproduced by the first actor with the second hash produced by the secondactor.
 9. The host server of claim 7, wherein some of the actors of theplurality of pairings perform a list action and some of the actors ofthe plurality of pairings perform a hash action.
 10. The host server ofclaim 9, wherein the generated security code is configured to: build alist table including a result of each list action; combine the result ofeach hash action into a single value; append the single value to thebuilt list table; and return the appended single value and the builtlist table to the host server as the one or more first results.
 11. Anetworked system including the host server of claim 1 and the pluralityof computing devices, wherein each of the plurality of computing devicesincludes memory storing first data and second data; and wherein each ofthe plurality of computing devices are configured to: enable read accessof the generated security code to the first data and block read accessof the generated security code to the second data.
 12. A method ofoperating a host server including: one or more processors; memorystoring (a) an algorithm database that includes a plurality of differentsecurity algorithms and (b) an expected software profile for each of aplurality of computing devices; and a network interface forcommunicating with the plurality of computing devices; the methodcomprising, via the one or more processors, performing an integritycheck of at least one of the computing devices by: (a) selecting atleast a portion of the stored expected software profile of the at leastone computing device; (b) selecting one or more of the securityalgorithms from the algorithm database; (c) generating a security codebased on (i) the selected portion of the stored expected softwareprofile of the at least one computing device, and (ii) the one or moreselected security algorithms; (d) transmitting the generated securitycode to the at least one computing device via the network interface, thegenerated security code configured to (i) run on the at least onecomputing device and (ii) return one or more first results to the hostserver; (e) receiving the one or more first results of the generatedcode from the at least one computing device; (f) running the generatedsecurity code on the stored expected software profile of the at leastone computing device, the generated security code configured to returnone or more second results; (g) comparing the one or more first resultsto the one or more second results; and (h) indicating the at least onecomputing device as (i) uncompromised or (ii) compromised based on thecomparison.
 13. The method of claim 12, wherein each stored expectedsoftware profile is a portion of the software expected to be stored onone of the plurality of computing devices, and the method includes:counting a time upon transmitting the generated security code to the atleast one computing device via the network interface; comparing thecounted time to a predetermined time; indicating the at least onecomputing device as compromised when (i) the counted time exceeds thepredetermined time, and (ii) the one or more first results have not beenreceived at the host server; indicating the at least one computingdevice as uncompromised when the one or more first results match the oneor more second results.
 14. The method of claim 12, wherein thegenerated security code is configured to automatically self-delete fromthe at least one computing device after returning the one or more firstresults to the host server.
 15. The method of claim 12, including:associating a first counted time with a first computing device of theplurality of computing devices; associating a second counted time with asecond computing device of the plurality of computing devices; comparingthe first counted time with a minimum time limit and a maximum timelimit; comparing the second counted time with the minimum time limit andthe maximum time limit; performing the integrity check of the firstcomputing device when the first counted time is between the minimum timelimit and the maximum time limit; and performing the integrity check ofthe second computing device when the second counted time is between theminimum time limit and the maximum time limit.
 16. The method of claim12, including: selecting the one or more security algorithms from thealgorithm database based on the selected portion of the stored expectedsoftware profile of the at least one computing device.
 17. The method ofclaim 12, wherein the generated security code includes: a plurality ofpairings, each pairing including: a selector that identifies some codeof the selected portion of the stored expected software profile of theat least one computing device; and an actor that performs an action onthe identified code.
 18. The method of claim 17, wherein the pluralityof pairings include: (a) a first pairing with a first selector and afirst actor, and (b) a second pairing with a second selector and asecond actor; wherein the first actor performs a first hash action andthe second actor performs a second hash action; and wherein thegenerated security code is configured to (i) run the first pairingbefore the second pairing and (ii) combine the first hash produced bythe first actor with the second hash produced by the second actor. 19.The method of claim 17, wherein some of the actors of the plurality ofpairings perform a list action and some of the actors of the pluralityof pairings perform a hash action.
 20. The method of claim 19, whereinthe generated security code is configured to: build a list tableincluding a result of each list action; combine the result of each hashaction into a single value; append the single value to the built listtable; and return the appended single value and the built list table tothe host server as the one or more first results.